Fixing the Internet's routing security is urgent and requires collaboration

Lucian Constantin
Feb. 29, 2016

A volunteer participation program for ISPs to prevent route hijacks and IP spoofing is gaining some traction.

Creating more incentives for ISPs to join the program is also an important issue that ISOC and the existing MANRS members are discussing. For example, some participants are considering including MANRS requirements in their peering arrangements or offering higher bandwidth peering only to MANRS-compliant network operators, Robachevsky said.

At this stage, however, the program is growing primarily by identifying and co-opting ISPs who are industry leaders from a security perspective. These are ISPs that have already implemented all of these protections on their own, independently of MANRS, he said.

It's unlikely that the MANRS recommendations will ever be adopted by all of the world's network operators, and unfortunately some attacks, like DDoS reflection, will not completely disappear without widespread implementation of anti-IP-spoofing measures. However, even if MANRS succeeds in creating only small but safe neighborhoods on the Internet, it would reduce the problem.

Imagine a cybercriminal group that has access to 1,000 infected computers from around the world that are organized in a botnet. If they get a list of 1,000 misconfigured DNS or NTP servers, they could abuse those servers to amplify the traffic they could otherwise generate from those 1,000 computers by using the DDoS reflection technique.

However, if 20 percent of those infected computers were located within networks that prevent IP spoofing, the attackers wouldn't be able to use them for DDoS reflection at all, because their spoofed requests would be blocked by their ISPs and would never reach the vulnerable DNS or NTP servers.
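The mechanism behind that paragraph is source address validation (the BCP38-style ingress filtering MANRS asks operators to deploy): an access ISP knows which prefixes it assigned to a customer network, so any packet leaving that network with a source address outside those prefixes is forged and can be dropped before it reaches a reflector. The following Python is an added example written for this article, not code from MANRS, ISOC or any quoted company; the prefixes, the sample packets and the two-ISP botnet scenario are all constructed, and the helper names are my own.

```python
import ipaddress

# Constructed example: the customer-facing edge of one access ISP. The ISP
# assigned these prefixes to the customer network, so a packet leaving it with
# any other source address is spoofed (BCP38 / MANRS anti-spoofing action).
ASSIGNED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def source_is_valid(src, assigned_prefixes=ASSIGNED_PREFIXES):
    """Source address validation: True only if src lies in an assigned prefix."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: treat as invalid
    # A version mismatch (IPv6 address vs IPv4 prefix) is simply "not contained".
    return any(addr in prefix for prefix in assigned_prefixes)


def edge_filter(packets, assigned_prefixes=ASSIGNED_PREFIXES):
    """Apply the ingress filter to outbound packets; return (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        bucket = forwarded if source_is_valid(pkt["src"], assigned_prefixes) else dropped
        bucket.append(pkt)
    return forwarded, dropped


# Constructed outbound packets as seen at the edge. 192.0.2.53 and 192.0.2.123
# stand in for an open DNS resolver and an NTP server; 192.0.2.77 is the
# address the attacker wants the reflected replies to land on.
SAMPLE_PACKETS = [
    {"src": "203.0.113.10", "dst": "192.0.2.53", "dport": 53, "note": "legit DNS query"},
    {"src": "198.51.100.50", "dst": "192.0.2.123", "dport": 123, "note": "legit NTP query"},
    {"src": "192.0.2.77", "dst": "192.0.2.53", "dport": 53, "note": "forged source, reflection attempt"},
    {"src": "192.0.2.77", "dst": "192.0.2.123", "dport": 123, "note": "forged source, reflection attempt"},
    {"src": "198.51.100.130", "dst": "192.0.2.53", "dport": 53, "note": "outside the assigned /25, also dropped"},
]


def build_scenario(total=1000, sav_share=0.2):
    """The article's thought experiment: `total` bots, a `sav_share` fraction of
    them sitting in networks whose ISP enforces source address validation."""
    networks = {"filtered_isp": {"sav": True}, "open_isp": {"sav": False}}
    n_filtered = int(total * sav_share)
    bots = [
        {"id": i, "network": "filtered_isp" if i < n_filtered else "open_isp"}
        for i in range(total)
    ]
    return bots, networks


def usable_reflection_sources(bots, networks):
    """Bots that can still emit forged-source packets: only those in networks without SAV."""
    return sum(1 for bot in bots if not networks[bot["network"]]["sav"])


if __name__ == "__main__":
    forwarded, dropped = edge_filter(SAMPLE_PACKETS)
    for pkt in dropped:
        print("DROP", pkt["src"], "->", pkt["dst"], "|", pkt["note"])
    bots, networks = build_scenario()
    print(usable_reflection_sources(bots, networks), "of", len(bots),
          "bots remain usable as reflection sources")
```

Run as a script, it drops the three packets whose source is not in the assigned prefixes and reports that 800 of the 1,000 bots remain usable for reflection, which is the article's 20 percent reduction. The point of `build_scenario` is that the benefit is per-network and incremental: each ISP that deploys the filter removes its own customers from the pool of usable spoofing sources, whatever the rest of the Internet does.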

Fortunately, the MANRS proposals will be beneficial in incremental deployments, said Danny Cooper, a security researcher at Akamai. "Even if not everyone on the Internet is participating and there's only a partial uptake, it still reduces the places on the Internet that certain attacks can be launched from."

The defense techniques proposed by MANRS are by no means perfect, and there are some techniques to partially evade them, but overall they force attackers to reduce the scope of their attacks, Cooper said.

MANRS represents a collection of pretty smart network operators that got together and came up with some best practices to improve the state of Internet routing, said Dyn's Madory. "Regardless of whether it gains adoption by all ISPs, it's certainly the right thing to do. We should try to capture all the lessons learned from the various network engineers around the world and advocate for their implementation."

After all, perfect or not, there aren't many alternatives to this kind of industry self-regulation. Attacks will only get worse with the passing of time, and if nothing is done there is a danger that national governments could intervene with legislation that will endanger the openness of the Internet. The fragmentation of the Internet is already happening to some extent due to political, economic, religious and other reasons.